Nearly three years after the adoption of the General Data Protection Regulation (GDPR) and the countless fines issued by national data protection authorities, the first successful litigation challenging the value of a GDPR fine issued offers valuable insights for the future of GDPR litigation and data protection compliance more broadly.
First landmark case: 90 percent fine reduction
In 2019, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) issued a €9.55 million GDPR fine to German telecom provider 1&1 Telecom GmbH (1&1) for an insufficient authentication procedure in one of its call centers. A caller was able to obtain the personal contact information of a telecom user solely by providing the name and date of birth of the customer to the call center agent, resulting in the disclosure of personal data to an unauthorized user.
Notably, 1&1's authentication procedure was not unusual in the industry. There was also no market standard requiring stricter security protocols. Regardless, BfDI found that the security protocols pertaining to the customers' personal data were insufficient under Art. 32 of the GDPR requiring companies to ensure a level of security appropriate to the risk. Although 1&1 fully complied with BfDI by increasing its security requirements following the security breach, BfDI maintained that the fine of €9.55 million was appropriate given the annual turnover of 1&1 at a corporate group level.
In response, 1&1 challenged the fine before the Regional Court of Bonn ("Court"). On November 11, 2020, the Court held1 that 1&1 violated Art. 32 of the GDPR but ruled that the fine amount issued was disproportionate to the nature of the violation and consequently reduced the fine by more than 90 percent to €900 thousand. The key takeaways of this decision are:
Is internal responsibility irrelevant for a fine?
First, the Court had to determine whether the violating act, as described by BfDI in their penalty notice, was sufficient to impose a fine, as no concrete wrongdoing of any employee of 1&1 was evident.
Since German law does not recognize direct liability of companies, it is necessary to establish concrete wrongdoing by employees of the company. According to German law, a company can only be fined if a concrete wrongdoing of individuals in management or supervisory positions is established, which then can be attributed to the company (see Section 30 of the German Act on Regulatory Offences).
However, following data protection scholars, the Court held that principles of antitrust law also apply to fines under Art. 83 (2)-(4) of the GDPR. The Court relied on recital 150 GDPR, which states that imposing an administrative fine on an undertaking should be understood in accordance with Art. 101 and 102 of the Treaty on the Functioning of the European Union, which recognize direct liability of undertakings for any wrongdoing of their employees without the need for any concrete wrongdoing by individuals in management or supervisory positions.
The opinion of the Court is not without opposition. In a more recent decision from February 18, 2021, the Regional Court of Berlin took an opposite view on the matter.2 It declared a €14.5 million fine against a German real estate company invalid, as the Berlin Data Protection Authority did not specify concrete acts by management leading to a violation of the GDPR in its fine. Notably, the decision against 1&1 is final, while an appeal against the decision of the Regional Court of Berlin is pending.
As a consequence, it remains open whether wrongdoings of individuals in management or supervisory positions are required to issue a GDPR fine in Germany. This and many other questions under the GDPR will ultimately end up before the ECJ for a final answer. Until then, compliance with the GDPR is crucial. Companies need to be aware that even violations by ordinary employees can result in substantial fines.
Basis for determining GDPR fines
Second, the Court provided some long-awaited guidance regarding the basis for determining GDPR fines.
In line with its argumentation outlined above, the Court applied principles of antitrust law to the calculation of the fine. Accordingly, the maximum fine needs to be determined based on the annual turnover (a) at the corporate group level (rather than at the level of the entity violating the GDPR) and (b) in the financial year before the fine is issued (rather than the financial year before the actual violation of the GDPR or judicial decision).
Since 2019, German data protection authorities used a calculation model that initially determined a basic value for the fine derived from the turnover of the undertaking and then multiplied that value by a factor depending on the severity of the GDPR violation.3
Highlighting that Art. 83 (2) of the GDPR focuses solely on offense-related criteria, the Court held that annual turnover, in itself, is not a decisive factor in calculating a fine. Annual turnover merely provides the overall framework for a fine and should only be considered in assessing whether a fine is "effective" and "dissuasive" as required by Art. 83 (1) of the GDPR. Thus, the Court declared the turnover-centered calculation model as incompliant with basic GDPR principles.
The Court further pointed out that the fine needs to be "proportionate" and may not present an undue hardship to the company or serve as an excessive reaction to the specific violation. The Court, however, did not provide an explanation in determining that the €900 thousand for a single violation is appropriate. The Court only stated that 1&1 already suffered a reputational loss through the publication of the high fine, which needs to be taken into consideration.
The 1&1 decision provides several lessons for businesses:
- There is a need for businesses to closely follow legal developments and market practices in order to adjust their assessment of compliance of all company processes.
- Even minor violations of the GDPR can be costly as GDPR compliance is not limited to those in management positions.
- GDPR fines need to be proportionate to the particular violation and any excess can be challenged in court.
In a way, the decision was a success for both BfDI and 1&1. While BfDI was able to demonstrate how costly even small violations of data protection law can be, 1&1 was able to reduce the fine by more than 90 percent.
1 Regional Court of Bonn, decision of 11 November 2020, 29 OWi 1/20.
2 Regional Court of Berlin, decision of 18 February 2021, (526 OWi LG) 212 Js-OWi 1/20 (1/20).
3 For details, please see the Technology Newsflash of 15 January 2020 on the DSK Calculation Model.
Martin Junker (White & Case, Summer Associate, Berlin) co-authored this publication.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2021 White & Case LLP